[openstack-dev] [Infra] Updates for SPF Record needed

Jay Faulkner jay at jvf.cc
Wed Apr 30 15:52:32 UTC 2014


Hi all,

Ever since the gerrit upgrade, emails from review at openstack.org have
been going into my Junk folder, so I started looking at the headers and
related information to see if I could find any problems.

One thing I encountered is that the current SPF record:

$ host -t TXT openstack.org
openstack.org descriptive text "v=spf1 include:sendgrid.net ~all"

fails anything but mail sent via sendgrid. This excludes mail sent from
review at openstack.org directly off the gerrit server, and causes SPF to
softfail. Note that this SPF record does *not* impact the mailing lists,
as those are on a separate domain (lists.openstack.org) which has no SPF
record set whatsoever.

AFAICT, there are a limited number of servers that send mail with From:
addresses containing openstack.org; these include emailsrvr.com (the MX
provider for openstack.org) and review.openstack.org. jeblair mentioned
on IRC that there may also be an 'openstackid-dev' email sending
account, but I was unable to find any email in my personal account from
that server.

There are two possible solutions:

1) Remove or drastically open the SPF record. Removing the record would
cause all email to resolve spf=none (like lists.o.o does currently), but
prevent openstack.org from gaining any protection against malicious
senders via SPF. Drastically opening the SPF record would be changing
the "~all" to a "+all" which would cause all sent email to pass SPF.

2) Make the SPF record accurate: "v=spf1 include:emailsrvr.com
include:sendgrid.net a:review.openstack.org ~all". For any additional
services that send mail for openstack.org, an additional
"a:my.host.name.openstack.org" would be added to the SPF record. Using
a: syntax for the records also ensures that in the case of something
like the recent gerrit migration, the SPF record would remain valid
without any modification.

There's obviously also a hybrid approach, where we add the known senders
of mail but change "~all" to "+all".

I strongly recommend we pursue option 2 -- this would mean if you know
of any other devices sending mail to @openstack.org, please reply to
this thread with the information so we can draft a valid SPF record.


Thanks,
Jay Faulkner
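
The effect of the three candidate records from the message above on different sending hosts, as an added example that is not part of the original message. It is a simplified SPF evaluator (ip4, a, include and all only) run against a constructed DNS table; the IP addresses and the sendgrid.net / emailsrvr.com records are assumptions, not the providers' real data.

```python
import ipaddress

# Constructed DNS data (assumption): all addresses are RFC 5737 documentation
# ranges, and the sendgrid.net / emailsrvr.com records are stand-ins, not the
# providers' real SPF records.
TXT = {
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/25 ~all",
    "emailsrvr.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
A = {"review.openstack.org": ["203.0.113.10"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, record, depth=0):
    """Simplified RFC 7208 check_host: ip4, a, include and all only."""
    if record is None:
        return "none"            # no SPF record published for the domain
    if depth > 10:
        return "permerror"       # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "a":
            matched = ip in A.get(arg, [])
        elif name == "include":
            # include matches only if the included record evaluates to pass
            matched = check_host(ip, TXT.get(arg), depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

CURRENT = "v=spf1 include:sendgrid.net ~all"
PROPOSED = ("v=spf1 include:emailsrvr.com include:sendgrid.net "
            "a:review.openstack.org ~all")
OPEN = "v=spf1 include:sendgrid.net +all"

def compare(ip):
    return {n: check_host(ip, r) for n, r in
            (("current", CURRENT), ("proposed", PROPOSED), ("open", OPEN))}

if __name__ == "__main__":
    for label, ip in (("gerrit", "203.0.113.10"), ("sendgrid", "192.0.2.20"),
                      ("unknown", "192.0.2.200")):
        print(label, ip, compare(ip))
```

With the constructed data, the gerrit host moves from softfail to pass under the accurate record while an unlisted host still softfails; the "+all" variant passes every host, listed or not.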
